Title: Blind SQL injection in WordPress plugin event-espresso-free v3.1.37.11.L |
Author: Larry W. Cashdollar, @_larry0 |
Date: 2017-07-04 |
CVE-ID: CVE-2017-1002026 |
CWE: |
Download Site: https://wordpress.org/plugins/event-espresso-free/ |
Vendor: https://eventespresso.com/ |
Vendor Notified: 2017-07-07 |
Vendor Contact: plugins@wordpress.org |
Advisory: http://www.vapidlabs.com/advisory.php?v=197 |
Description: Event Espresso Lite – Event Management and Registration System |
Vulnerability: The function edit_event_category does not sanitize the user-supplied id request parameter ($id) before concatenating it into an SQL statement. This allows blind SQL injection by an authenticated user who can edit the event categories.

function edit_event_category(){
    global $wpdb;

    // Vulnerable: the request value is used unchanged in the query string below.
    $id=$_REQUEST['id'];
    $results = $wpdb->get_results("SELECT * FROM ". EVENTS_CATEGORY_TABLE ." WHERE id =".$id);
    foreach ($results as $result){
        $category_id = $result->id;
        $category_name = stripslashes($result->category_name);
        $category_identifier = stripslashes($result->category_identifier);
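
A hardened form of the lookup above, given as an added example that is not part of the advisory or the plugin's code. It assumes it runs inside WordPress, where $wpdb, wp_unslash(), absint() and the plugin's EVENTS_CATEGORY_TABLE constant are defined; the function name edit_event_category_hardened is hypothetical.

```php
<?php
// Added example, not the plugin's code. Runs inside WordPress, where $wpdb,
// wp_unslash(), absint() and EVENTS_CATEGORY_TABLE (the plugin's constant)
// are defined. The function name is hypothetical.
function edit_event_category_hardened() {
    global $wpdb;

    // Accept only a plain decimal id; anything else never reaches SQL.
    $raw = isset( $_REQUEST['id'] ) ? wp_unslash( $_REQUEST['id'] ) : '';
    if ( ! is_string( $raw ) || ! ctype_digit( $raw ) ) {
        return array();
    }
    $id = absint( $raw );

    // %d binds the value as an integer. The table name is a plugin constant,
    // not user input, so it stays concatenated as in the original query.
    $sql = $wpdb->prepare(
        'SELECT * FROM ' . EVENTS_CATEGORY_TABLE . ' WHERE id = %d',
        $id
    );

    // get_results() can return null on a database error; treat that as empty.
    $rows = $wpdb->get_results( $sql );
    if ( ! is_array( $rows ) ) {
        return array();
    }

    $categories = array();
    foreach ( $rows as $result ) {
        $categories[] = array(
            'category_id'         => (int) $result->id,
            'category_name'       => stripslashes( $result->category_name ),
            'category_identifier' => stripslashes( $result->category_identifier ),
        );
    }
    return $categories;
}
```

Either the ctype_digit() check or the %d placeholder alone keeps the value out of the SQL grammar; using both means a later refactor that drops one still leaves the query parameterised or the input validated.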
Exploit Code:
|
Screen Shots: |
Notes: |